(54) Method and apparatus for performing authentication for roaming between different mobile communication systems

(57) A method and apparatus for performing authentication for roaming between two communication networks which utilize different authentication schemes. The authentication interoperability function (AIF) and method translate between the authentication schemes of each network, for example, a triplet-based network and a shared secret data (SSD) network. When a user from a network that natively uses SSD authentication roams into a triplet-based network, the authentication interoperability function (AIF) produces triplets from the current SSD. When a triplet user roams into an SSD network, the AIF produces SSD from the triplet.

Description

Field of the Invention

[0001] The present invention relates to authentication of users in a communication system, and more particularly to the authentication of users in a wireless network as the user roams between two communication systems with differing authentication schemes.

Description of the Related Art 

[0002] There are currently different communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes three major systems, with differing standards. The first system is a time division multiple access system (TDMA) and is governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Phone System (AMPS). All three communication systems use the IS-41 standard for intersystem [...] procedure.

[0003] In TDMA, users share a frequency band; each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish them, hence the phrase "time division". At the receiver, the packet is decompressed. In the IS-136 protocol, three users share a given channel.
[0004] Traditional systems transmit a single strong signal, perhaps intermittently, on a narrowband. In contrast, CDMA works in reverse, sending a weak but very broadband signal. A unique code "spreads" the signal across the wide area of the spectrum (hence the alternative name, spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust [...] can be established even for an extremely low-power signal; theoretically, the signal can be weaker than the noise floor. Further, by using different codes, a number of different channels can simultaneously share the same spectrum, without interfering with each other.
[0005] The AMPS system is an analog system.

[0006] Europe utilizes the Global System for Mobiles (GSM), [...] the European Telecommunications Standards Institute (ETSI). GSM now has the support of 80 operators in over 40 countries including countries outside of Europe. GSM is a TDMA standard, with 8 users per channel. The speech is taken in 20 msec windows which are sampled and compressed.

[0007] GSM is transmitted on a 900 MHz carrier. There is an alternative system operating at 1.8 GHz (DCS 1800), [...] viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented [...] operating on the different carrier of 1.9 GHz.

[0008] Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). A TDMA standard similar to the U.S. IS-54 protocol, PDC is not in use anywhere else in the world.

[0009] The GSM network utilizes a user identification module (UIM) which is a credit card sized card which is owned by a subscriber, who slides the UIM into any GSM handset to transform it into "their" phone. It will ring when their unique phone number is dialed, calls made will be [...] and services connect; voice mail can be connected and so on. People with different UIMs can share one "physical" handset, turning it into several "virtual" handsets, one per UIM.

[0010] Similar to the U.S. systems, the GSM network also permits "roaming", by which different network operators agree to recognize (and accept) subscribers from other networks, as phones (or UIMs) move. So, British subscribers can drive through France or Germany [...] and receive calls (on their same UK number), with as much ease as an American businessman can use a phone in Boston, Miami or Seattle within any one of the U.S. systems.

[0011] Regardless of the telephone communication system, when a subscriber places a call, his or her telephone indicates to the service provider the identity of the caller for billing purposes. The service provider must then "authenticate" the identity of the caller in order to ensure that he or she is an authorized user.

[0012] The GSM authentication scheme is illustrated in prior art Figures 1 and 2. This authentication scheme includes a home location register (HLR) 10, a visiting location register (VLR) 20 and a mobile terminal (MT) 30, which includes a UIM 32. When the mobile terminal 30 places a call, a request is sent to the home location register 10, which generates an authentication triplet (RAND, SRES, Kc) from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 20, which passes the random number RAND to the mobile terminal 30. The UIM 32 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and an algorithm A3, calculates a signed response SRES. The UIM 32 also utilizes the root key Ki and the random number RAND, and an algorithm A8 to calculate the session key Kc.

[0013] The SRES, calculated by the UIM 32, is returned to the VLR 20, which compares it to the SRES received from the home location register 10, in order to authenticate the subscriber using the mobile terminal 30.

[0014] In the GSM "challenge/response" authentication system, the visiting location register 20 never receives the root key Ki being held by the UIM 32 and the home location register 10. The VLR 20 also does not need to know the authentication algorithms used by the HLR 10 and UIM 32. Also, in the GSM authentication scheme, the triplet must be sent for every phone call by the home location register 10. RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224 bits of data for each request, which is a significant data load.
[0015] The IS-41 authentication scheme, used in U.S. TDMA, CDMA and AMPS systems, is illustrated in prior art Figures 3(a), 3(b) and 4. This authentication scheme involves a home location register (HLR) 40, a visiting location register (VLR) 50 and a mobile terminal (MT) 60, which includes a UIM 62. The root key, known as the A_key, is stored only in the HLR 40 and the UIM 62. There is a secondary key, known as Shared Secret Data (SSD), which is sent to the VLR 50 during roaming. SSD is generated from the A_key and a random seed RANDSSD using a cryptographic algorithm, as illustrated in Figure 3(a). In the IS-41 network, this algorithm is CAVE (Cellular Authentication and Voice Encryption). When the MT 60 roams to a visiting network, the VLR 50 sends an authentication request to the HLR 40, which responds by sending that subscriber's SSD.

[0016] Once the VLR 50 has the SSD, it can authenticate the MT 60 independently of the HLR 40, as illustrated in Figure 3(b). The VLR 50 sends a random number RAND to the UIM 62 via the MT 60, and the UIM 62 calculates the authentication response (AUTHR) using RAND and the stored value of SSD in UIM 62. AUTHR is returned to the VLR 50, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 60 is declared valid.

[0017] This scheme is efficient in two ways. One, the amount of data passed over the long-distance signaling link between the HLR 40 and the VLR 50 is very small (the 128-bit SSD), and one such transfer is sufficient for the entire registration period. Two, the VLR 50 may authenticate the user before assigning a traffic channel, which is possible because RAND can be generated locally and need not be generated by the HLR 40.

[0018] For session key generation, the internal state of the CAVE algorithm is preserved after the authentication calculation. Several levels of encryption keys are then calculated using the post-authentication state of CAVE and the current value of SSD, as illustrated in Fig. 4.

[0019] The goal of the International Mobile Telecommunications-2000 (IMT-2000) standards development effort is to provide a global telecommunications system which will support one subscription anywhere in the world and will also permit a subscriber to "roam globally". In order to realize this system, interfaces must be provided between the various systems (GSM, IS-41, PDC, etc.) which allow users of these systems to "roam" into other systems. Currently such "global" roaming is unavailable. The International Telecommunication Union (ITU) is working to develop standards which allow global roaming, which will be accomplished with a standardized network-to-network interface (NNI) and UIM-MT interface, which must be capable of passing messages for authentication of the identity of each caller.

[0020] Several types of global roaming are permitted including: removable UIMs, multi-mode terminals (terminals that can communicate with more than one air interface standard), and downloadable UIMs (terminals which receive service profile information over the air). All three roaming scenarios are equivalent for the purposes of the present invention. What matters is that a UIM from one network is visiting a network with a different authentication scheme, and the UIM must be authenticated using the security architecture of the local network.

Summary Of The Invention

[0021] The present invention solves the authentication problem by providing an authentication interoperability function (AIF) that permits the authentication of users as they roam between networks that use different authentication schemes. More specifically, interoperability is possible if one network uses stored authentication triplets and a second network uses shared secondary keys, also known as shared secret data (SSD).
[0022] An authentication interoperability function (AIF) translates between the authentication schemes of each family of communication networks (IS-41, GSM, PDC). The AIF may be located at the HLR (Home Location Register) or AC (Authentication Center) of the home network, the VLR (Visited Location Register) of the visited network, or as a stand-alone interworking function (IWF) located elsewhere in the network.
[0023] When a user from a network that natively uses SSD authentication roams into a triplet-based network, the AIF will produce triplets from the current SSD. When a triplet user roams into an SSD network, the AIF will produce SSD from triplet(s).

[0024] The AIF of the present application preserves the [...] of each communication network family (GSM, IS-41, PDC), concentrates the changes [...] communication networks compatible to the AIF, the Network-to-Network Interface (NNI), and the User Identity Module (UIM), and preserves the current level of security in each system.

Brief Description of the Drawings

[0025]

Figure 1 is a block diagram illustrating the basic components of the prior art global system for mobiles (GSM) network;

Figure 2 is a prior art diagram of messages transmitted in the GSM network;

Figures 3(a) and 3(b) are block diagrams illustrating the basic components of the prior art IS-41 network;

Figure 4 illustrates the messages transmitted in the prior art IS-41 network illustrated in Figure 3;

Figure 5 is a block diagram of a generic communication system;

Figure 6 is a block diagram of a generic mobile telecommunication system;

Figure 7 is a block diagram illustrating how an IS-41 user roams into a GSM network;

Figure 8 is a block diagram illustrating how a GSM user roams into an IS-41 network;

Figure 9 illustrates the roaming IS-41 user in more detail;

Figure 10 illustrates the roaming GSM user in more detail; and

Figure 11 illustrates a general network interface.

Detailed Description Of The Invention

[0026] The present invention discloses how to authenticate a global roamer in IMT-2000. An authentication interoperability function is provided that integrates the authentication architectures of [...] MAP. The authentication interoperability function (AIF) translates between the authentication schemes of the two families (for example, IS-41 and GSM). When an IS-41 user roams into a GSM network, the AIF produces triplets from the current SSD. When a GSM user roams into an IS-41 network, the AIF produces SSD from a single triplet.

[0027] Figure 5 illustrates a basic communication system. A terminal 102 communicates with a network 104, which is connected to an authentication center 106. The network 104 is connected to a second network 114 via a Network-to-Network Interface (NNI) 222. The network 114 is connected to a terminal 116 and an authentication center 112.

[0028] A basic mobile communication system is illustrated in Figure 6.

[0029] In the embodiment illustrated in Figure 6, the home location register (HLR) 302 and the visiting location register (VLR) 304 belong to the first network 218 and the home location register (HLR) 306 and visiting location register (VLR) 308 belong to the second network 220. When the first network and the second network utilize different authentication schemes for authenticating users, a problem arises regarding how the user is authenticated. The present invention solves this problem by providing an authentication interoperability function that translates between the authentication schemes of the two networks. The authentication interoperability function disclosed in the present application describes how to authenticate a "global" roamer, such as within IMT-2000. This authentication interoperability function integrates the authentication architectures of two networks which utilize different authentication schemes, such as the GSM network and the IS-41 network. A more detailed illustration of the network elements utilized in the GSM network and the IS-41 network is illustrated in Figures 7 and 8.

[0030] Figure 7 illustrates that the first network 218 is a GSM network which includes a home location register 302, a visiting location register 304, and a mobile terminal 310 with UIM 312. The second network 220 is an IS-41 network which includes a home location register 306, a visiting location register 308, and a mobile terminal 311 with UIM 312. The authentication interoperability function 314 is utilized when the user of UIM 312 roams to another system, such as the GSM network, as illustrated in Figure 7.

[0031] Figure 8 illustrates the converse situation, where a user from the GSM network roams to the IS-41 network.

IS-41 User Roaming in a GSM Network

[0032] When an IS-41 user roams to a GSM network, the AIF 314 generates an authentication triplet from SSD. As illustrated in Figure 9, the HLR 306 sends the currently stored SSD to the AIF 314, which uses the SSD to generate the triplet and sends it to the VLR 304. Then, the VLR 304 authenticates the UIM 312 by sending RAND to the UIM 312 via the MT 310. The UIM 312 generates SRES and Kc with RAND and SSD and sends SRES and Kc to the MT 310. The MT 310 sends SRES to the VLR 304, which compares this SRES with the SRES received from the AIF 314 to authenticate the user. The GSM VLR 304 sends a request for triplets across the Network-to-Network Interface (NNI) 222 to the AIF 314 via a registration notification message (NNI REGNOT). The AIF 314 retrieves the user's SSD from the IS-41 HLR 306 and uses it to calculate triplets (RAND, SRES, Kc). The triplets are sent to the GSM VLR 304 via the [...]. The AIF 314 is equipped with CAVE (or the current authentication algorithm in the IS-41 network's Common Cryptographic Algorithms (CCA)), which will be used to generate the triplets. The network using the triplet does not need to know the authentication algorithm; the algorithm only resides in the UIM 312 and the IS-41 HLR 306. In other words, the GSM VLR 304 does not need to have CAVE.
[0033] The sizes of the authentication parameters differ between the IS-41 and the GSM networks. To generate a GSM authentication pair from an IS-41 SSD, the size conversion is performed at the AIF 314: in particular, the AIF 314 generates a 32-bit RAND, calculates an 18-bit authentication response AUTHR, using the CAVE algorithm, using the 32-bit RAND, a 64-bit SSD_A, an identity value, and the authentication data AUTH_DATA. The AIF 314 also generates a 128-bit RAND from the 32-bit RAND and generates a 32-bit SRES from the 18-bit AUTHR by padding on the left with zeros or dummy values.

[0034] Normally, during authentication of an IS-41 call origination, the dialed digits are used as the authentication data AUTH_DATA, which provides protection against replay of a global challenge. This is not done in the GSM network because the triplet might be calculated in advance, when the dialed digits are not known. In addition, a triplet is only used once; therefore there is less danger of a replay attack. Therefore, when generating a GSM triplet from SSD, AUTH_DATA is set to the international mobile subscriber identity (IMSI) as it is during a unique challenge.

[0035] The third parameter of the GSM triplet, after RAND and SRES, is the ciphering key Kc. CMEA_KEY, the 64-bit root encryption and voice privacy key, is used for this purpose. CMEA_KEY is generated by the AIF 314 as defined in the IS-41 CCA as:

Kc_64 = CMEA_KEY_64 = CAVE(SSD_B, AUTH_STATE),

where AUTH_STATE is the internal state of CAVE after calculating the authentication response.

[0036] Once Kc is determined, the triplet is complete and is sent to the GSM VLR 304 via the IS-41 HLR 306 and AIF 314 in the NNI REGNOT response message as:

NNI REGNOT [RAND_128, SRES_32, Kc_64].
[0037] Once the GSM VLR 304 receives the triplet, authentication of the IS-41 phone proceeds as usual, except that the UIM 312 calculates the authentication parameters using CAVE. This process is transparent to the GSM network 218 and is conventionally performed in accordance with the standards set forth by ETSI, such that the following messages are created and exchanged:

VLR 304 -> MT 310: RIL3-MM AUT-REQ [RAND_128];

MT 310 -> UIM 312: UIM AUTHREQ [RAND_128];

UIM 312: extracts RAND_32 from RAND_128;

UIM 312: AUTHR_18 = CAVE(RAND_32, SSD_A_64, [Identity], AUTH_DATA);

UIM 312: SRES_32 = AUTHR_18 padded on the left with 0 or random dummy bits;

UIM 312: Kc = CMEA_KEY_64 = CAVE(SSD_B, AUTH_STATE);

UIM 312 -> MT 310: UIM AUTHRSQ [SRES_32, Kc_64];

MT 310: stores Kc for ciphering;

MT 310 -> VLR 304: RIL3-MM AUT-RESP [SRES_32].

[0038] The UIM 312 uses the 128-bit authentication challenge (RAND_128) as a parameter and provides a 32-bit authentication response (SRES) and a 64-bit ciphering key (Kc).
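The size conversion of paragraphs [0033] to [0038], written out as an added example (this is not code from the patent): the AIF wraps IS-41 sized parameters inside a GSM-shaped triplet, the UIM recomputes them from RAND_128, and the GSM VLR performs nothing more than its usual 32-bit SRES comparison. CAVE is not reproduced; it is stood in for by HMAC-SHA256 truncated to the bit widths the text gives, and the placement of RAND_32 in the low bits of RAND_128 is an assumption. The SSD halves and IMSI are constructed sample values.

```python
"""Added example (not the patent's code): AIF triplet generation from SSD, the
UIM-side recomputation, and the GSM VLR comparison of paragraphs [0033]-[0038].

Assumption: CAVE is stood in for by HMAC-SHA256 truncated to 32/18/64 bits; only
the bit-width bookkeeping and the message flow follow the patent text.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RAND32_BITS, RAND128_BITS = 32, 128
AUTHR_BITS, SRES_BITS = 18, 32
KEY_BITS = 64


def cave_stand_in(key: bytes, *inputs: bytes, out_bits: int):
    """Stand-in for CAVE (assumption).  Returns the output truncated to out_bits and
    the full digest, which plays the role of AUTH_STATE, i.e. the algorithm's
    internal state after the authentication calculation ([0018], [0035])."""
    digest = hmac.new(key, b"".join(inputs), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1), digest


def rand128_from_rand32(rand32: int) -> int:
    """AIF: embed the 32-bit challenge in a 128-bit RAND (low 32 bits, upper bits zero; assumed)."""
    return rand32 & ((1 << RAND32_BITS) - 1)


def rand32_from_rand128(rand128: int) -> int:
    """UIM: extract RAND_32 from RAND_128 (inverse of the embedding above)."""
    return rand128 & ((1 << RAND32_BITS) - 1)


def sres_from_authr(authr: int, dummy: int = 0) -> int:
    """SRES_32 = AUTHR_18 padded on the left with zeros (or 14 dummy bits)."""
    assert 0 <= authr < (1 << AUTHR_BITS)
    assert 0 <= dummy < (1 << (SRES_BITS - AUTHR_BITS))
    return (dummy << AUTHR_BITS) | authr


@dataclass(frozen=True)
class Triplet:
    rand128: int
    sres32: int
    kc64: int


def compute_gsm_shaped_response(rand32: int, ssd_a: bytes, ssd_b: bytes, imsi: bytes):
    """Shared by AIF and UIM: AUTHR = CAVE(RAND_32, SSD_A, identity, AUTH_DATA) with
    AUTH_DATA set to the IMSI ([0034]); then Kc = CMEA_KEY = CAVE(SSD_B, AUTH_STATE)."""
    authr, auth_state = cave_stand_in(
        ssd_a, rand32.to_bytes(4, "big"), imsi, imsi, out_bits=AUTHR_BITS)
    kc, _ = cave_stand_in(ssd_b, auth_state, out_bits=KEY_BITS)
    return sres_from_authr(authr), kc


def aif_make_triplet(ssd_a: bytes, ssd_b: bytes, imsi: bytes, rand32=None) -> Triplet:
    """AIF 314: pick RAND_32, derive SRES_32 and Kc_64, emit the NNI REGNOT triplet."""
    if rand32 is None:
        rand32 = secrets.randbits(RAND32_BITS)
    sres, kc = compute_gsm_shaped_response(rand32, ssd_a, ssd_b, imsi)
    return Triplet(rand128_from_rand32(rand32), sres, kc)


def uim_answer_challenge(rand128: int, ssd_a: bytes, ssd_b: bytes, imsi: bytes):
    """UIM 312: extract RAND_32 from RAND_128 and run the same CAVE-based computation."""
    return compute_gsm_shaped_response(rand32_from_rand128(rand128), ssd_a, ssd_b, imsi)


def gsm_vlr_authenticate(triplet: Triplet, sres_from_mt: int) -> bool:
    """GSM VLR 304: an ordinary 32-bit SRES comparison; it never holds SSD or CAVE."""
    return sres_from_mt == triplet.sres32


def run_is41_roamer_in_gsm(ssd_a: bytes, ssd_b: bytes, imsi: bytes, rand32=None):
    """Whole exchange; returns (authenticated, ciphering keys agree, triplet)."""
    triplet = aif_make_triplet(ssd_a, ssd_b, imsi, rand32)
    sres, kc = uim_answer_challenge(triplet.rand128, ssd_a, ssd_b, imsi)
    return gsm_vlr_authenticate(triplet, sres), kc == triplet.kc64, triplet


# Constructed sample values (not from the patent): 64-bit SSD halves and an IMSI.
SAMPLE_SSD_A = bytes.fromhex("0123456789abcdef")
SAMPLE_SSD_B = bytes.fromhex("fedcba9876543210")
SAMPLE_IMSI = b"001010123456789"

if __name__ == "__main__":
    ok, keys_agree, t = run_is41_roamer_in_gsm(SAMPLE_SSD_A, SAMPLE_SSD_B, SAMPLE_IMSI)
    print(f"authenticated={ok} keys_agree={keys_agree} SRES=0x{t.sres32:08x}")
```

Because a GSM VLR compares all 32 bits of SRES, both the AIF and the UIM in this example pad deterministically with zeros; padding with random dummy bits on the UIM side would only verify if the VLR masked those bits out. Either way the comparison carries only the 18 bits of AUTHR, which is the point paragraph [0052] makes about the security level being unchanged by the embedding.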

GSM User Roaming in an IS-41 Network 

[0039] When a GSM user roams in an IS-41 network, the goal is to create Shared Secret Data (SSD) between the IS-41 VLR 308 and the UIM 312 within the mobile terminal 310. As illustrated in more detail in Figure 10, two triplets are sent from the HLR 302 to the AIF 314, which uses them to generate SSD update parameters, which are sent to the VLR 308. The VLR 308 sends RANDGSM_A and RANDGSM_B to the UIM 312 via the MT 311. The UIM 312 uses RANDGSM_A and RANDGSM_B to calculate Kc_A and Kc_B which are stored as the new value of SSD. Thereafter, for each system access, the VLR 308 authenticates the UIM 312 independently of the HLR 302, [0040] using SSD, according to the authentication procedure defined in IS-41.

[0041] The idea is to use triplets to generate the parameters required to perform an SSD Update. The result is that the IS-41 VLR 308 shares a key (SSD) with the UIM 312 of the roaming GSM user. Subsequently, for each system access, the key can be used with any authentication algorithm common between the UIM 312 and the IS-41 VLR 308.

[0042] Upon detecting a registration attempt from a GSM user, the IS-41 VLR 308 alerts the AIF 314 with a registration notification message (NNI REGNOT). The AIF 314 then requests two triplets from the GSM HLR 302 of the GSM user. This process is transparent to the GSM network 218 and is done in accordance with the standards set forth by ETSI, such that the following messages are created by the HLR 302 and exchanged with the AIF 314:

HLR 302: Generate 128-bit RANDGSM_A, RANDGSM_B;

HLR 302: Kc_A = A8(RANDGSM_A, Ki);

HLR 302: Kc_B = A8(RANDGSM_B, Ki);

HLR 302 -> AIF 314: (RANDGSM_A, SRES, Kc_A), (RANDGSM_B, SRES, Kc_B);

[0043] The AIF 314 sends the SSD Update parameters back to the IS-41 VLR 308 in the response to the registration notification message (NNI REGNOT):

AIF 314: NewSSDInfo = (Kc_A, Kc_B);

AIF 314 -> VLR 308: NNI REGNOT [RANDGSM_A, RANDGSM_B, NewSSDInfo].

NewSSDInfo has two parts: NewSSD_A = Kc_A, and NewSSD_B = Kc_B.

[0044] The IS-41 VLR 308 performs a modified SSD Update procedure with the MT 310 (via the IS-41 AU[...]; note that this requires the air interface to carry the 128-bit RANDGSM parameters) after inserting the parameters RANDU and AUTHU. These two parameters are used during the unique challenge which is performed [...] SSD Update. Note that this may require changes to IS-41 to allow for the larger (128-bit) RANDGSM parameters to be passed. The following messages are created and exchanged:

VLR 308: Generate random challenge RANDU;

VLR 308: AUTHU = CAVE(RANDU, NewSSD_A, [Identity]);

VLR 308 -> MT 310: SSD_UPDATE_GSM [RANDGSM_A, RANDGSM_B].

[0045] The MT 310 passes the parameters to the UIM 312 (in the proposed message UIM UpdateSSD), which calculates the new SSD:

MT 310 -> UIM 312: UIM UpdateSSD [RANDGSM_A, RANDGSM_B];

UIM 312: SSD_A = A8(RANDGSM_A, Ki);

UIM 312: SSD_B = A8(RANDGSM_B, Ki);

UIM 312: NewSSD = (SSD_A, SSD_B);

[0046] Shared secret data now exists between the IS-41 VLR 308 and the GSM UIM 312. For the rest of the registration period, the UIM 312 uses SSD_A rather than [...], and ciphering keys are calculated with the secret SSD_B.
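The two-triplet SSD update of paragraphs [0039] to [0046], as an added example that is not code from the patent: the GSM HLR produces two triplets, the AIF packs their Kc values into NewSSDInfo, the IS-41 VLR forwards RANDGSM_A and RANDGSM_B, the UIM rebuilds the same SSD with A8, and the VLR then verifies a unique challenge (RANDU/AUTHU) against NewSSD_A without involving the GSM HLR. A8, A3 and CAVE are stood in for by HMAC-SHA256 truncated to 64, 32 and 18 bits respectively; Ki, the IMSI and the challenge values are constructed samples.

```python
"""Added example (not the patent's code): SSD derived from two GSM triplets and a
subsequent IS-41 unique challenge, following paragraphs [0039]-[0046].

Assumption: A8, A3 and CAVE are stood in for by HMAC-SHA256 truncated to the
widths the text gives; Ki is a 64-bit value as stated in the text.
"""
import hashlib
import hmac
import secrets

KC_BITS, SRES_BITS, AUTHU_BITS = 64, 32, 18


def prf(key: bytes, *inputs: bytes, out_bits: int) -> int:
    """HMAC-SHA256 truncated to out_bits; stands in for A8, A3 and CAVE (assumption)."""
    d = hmac.new(key, b"".join(inputs), hashlib.sha256).digest()
    return int.from_bytes(d, "big") & ((1 << out_bits) - 1)


def a8(randgsm: int, ki: bytes) -> int:
    """Kc = A8(RANDGSM, Ki): 128-bit challenge in, 64-bit key out."""
    return prf(ki, b"A8", randgsm.to_bytes(16, "big"), out_bits=KC_BITS)


def a3(randgsm: int, ki: bytes) -> int:
    """SRES = A3(RANDGSM, Ki); carried in the triplet but unused by the SSD update."""
    return prf(ki, b"A3", randgsm.to_bytes(16, "big"), out_bits=SRES_BITS)


def cave_authu(randu: int, ssd_a: int, identity: bytes) -> int:
    """AUTHU = CAVE(RANDU, NewSSD_A, [Identity]) for the unique challenge ([0044])."""
    return prf(ssd_a.to_bytes(8, "big"), randu.to_bytes(4, "big"), identity,
               out_bits=AUTHU_BITS)


def gsm_hlr_two_triplets(ki: bytes, rand_a=None, rand_b=None):
    """HLR 302: generate RANDGSM_A/B and return the two triplets sent to AIF 314 ([0042])."""
    rand_a = secrets.randbits(128) if rand_a is None else rand_a
    rand_b = secrets.randbits(128) if rand_b is None else rand_b
    return ((rand_a, a3(rand_a, ki), a8(rand_a, ki)),
            (rand_b, a3(rand_b, ki), a8(rand_b, ki)))


def aif_new_ssd_info(triplet_a, triplet_b):
    """AIF 314: NewSSDInfo = (Kc_A, Kc_B), returned with both RANDGSM values in the
    NNI REGNOT response ([0043]).  SRES is dropped; only Kc becomes SSD."""
    rand_a, _sres_a, kc_a = triplet_a
    rand_b, _sres_b, kc_b = triplet_b
    return rand_a, rand_b, (kc_a, kc_b)


def uim_update_ssd(rand_a: int, rand_b: int, ki: bytes):
    """UIM 312: SSD_A = A8(RANDGSM_A, Ki), SSD_B = A8(RANDGSM_B, Ki) ([0045])."""
    return a8(rand_a, ki), a8(rand_b, ki)


def is41_vlr_unique_challenge(new_ssd_a: int, uim_ssd_a: int, identity: bytes,
                              randu=None) -> bool:
    """VLR 308 computes AUTHU from NewSSD_A; the UIM answers from its own SSD_A.
    True when the two AUTHU values match."""
    randu = secrets.randbits(32) if randu is None else randu
    return cave_authu(randu, new_ssd_a, identity) == cave_authu(randu, uim_ssd_a, identity)


def run_gsm_roamer_in_is41(ki: bytes, identity: bytes, rand_a=None, rand_b=None, randu=None):
    """Whole exchange; returns (UIM SSD equals VLR SSD, unique challenge passed)."""
    ta, tb = gsm_hlr_two_triplets(ki, rand_a, rand_b)
    rand_a, rand_b, (new_a, new_b) = aif_new_ssd_info(ta, tb)
    ssd_a, ssd_b = uim_update_ssd(rand_a, rand_b, ki)
    ssd_matches = (ssd_a, ssd_b) == (new_a, new_b)
    return ssd_matches, is41_vlr_unique_challenge(new_a, ssd_a, identity, randu)


# Constructed sample values (not from the patent): a 64-bit Ki and an IMSI.
SAMPLE_KI = bytes.fromhex("0011223344556677")
SAMPLE_IMSI = b"001010123456789"

if __name__ == "__main__":
    print(run_gsm_roamer_in_is41(SAMPLE_KI, SAMPLE_IMSI))
```

The VLR never learns Ki: it receives only Kc_A and Kc_B, each a one-way A8 output, and the UIM can reconstruct them because it holds Ki and receives the same two RANDGSM values. This is what lets the VLR authenticate for the rest of the registration period without further HLR traffic, as [0039] and [0041] describe.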

A Common Authentication Algorithm

[0047] [...] between the IS-41 VLR 308 and the UIM 312, in order for the VLR 308 to perform authentication and session key generation with the mobile terminal 310, there also needs to be a common cryptographic algorithm shared between the two entities. This algorithm could be CAVE, A3/A8, or any other authentication algorithm [...].

[0048] If the changes are to be isolated in the UIM 312, CAVE is inserted into the UIM 312 along with the algorithm A3. When in a native GSM network, A3 is used with the root key Ki. When roaming into an IS-41 network, CAVE is used with the SSD as described above.

[0049] If the changes are to be isolated in the IS-41 network, the algorithm A3 is included in the IS-41 network. The IS-41 VLR 308 would then use CAVE to authenticate native IS-41 phones, and A3 to authenticate GSM roamers.

Interoperability with PDC 

[0050] The Japanese PDC signaling MAP uses an authentication scheme that is very close to a triplet-based architecture. When roaming users register in a visited network, there are two versions of the Inter-Network Authentication Information Retrieval Message which is sent from the home network to the visited network. One version simply sends the Subscriber Authentication Key. The other version sends the Authentication Information [...] random number, signed response, and the ciphering key, i.e., it is an authentication triplet. Therefore, PDC is equivalent to GSM in terms of interoperability with an SSD-based network like IS-41. Since both PDC and GSM networks use a triplet-based scheme, interoperability between them is relatively easy. However, there is an incompatibility issue regarding the size of the signed response parameter, which is 32 bits in GSM and 64 bits in PDC. One solution is to simply disregard 32 bits of the response returned by the PDC UIM when a PDC user roams to a GSM network. This provides 32 bits less security than PDC users are accustomed to.

Security 

[0051] The authentication interoperability function discussed above is designed to preserve the level of security currently enjoyed by each system, in the example above, the GSM and IS-41 networks.

[0052] IS-41 users are currently authenticated with 32-bit challenges and 18-bit responses. The level of security does not change when those parameters are embedded in larger fields within a GSM triplet.

[0053] GSM users are currently authenticated with 128-bit challenges and 32-bit responses. Authentication of GSM users while roaming in an IS-41 network is done with IS-41 size security parameters, which have fewer bits of real security (18-bit AUTHR vs. 32-bit SRES). However, the security of GSM users at home within their own system is not lessened. In addition, the security of GSM users roaming in an IS-41 network [...]: a) SSD is used in place of Ki, and b) the difficulty of working back to the root key from a challenge/response pair is (size of key - size of AUTHR) = 64 - 18 = 48 bits, which is more secure than in GSM where [...] 64 - 32 = 32 bits.
[0054] One important impact on IS-41 users is that there is no way to do SSD Update when roaming in a GSM network. If the current SSD is compromised or corrupt, there is nothing that can be done until the user roams back into an IS-41 network. Additionally, this implies that [...] (access the network for the first time) while roaming in a GSM network, because no SSD is yet available.

[0055] GSM triplets are currently used only for a single [...]; when a GSM user roams into an IS-41 network, a single [...] calls.

[0056] However, SSD_A is 64 bits long, which provides twice the bits of security as the 32-bit SRES in a triplet. The level of security cannot be more than 64 bits [...] derived from the 64-bit root key Ki. On the other hand, authentication is now dependent on A8, which is used to generate SSD_A. The security implications of this are not known.
[0057] Regarding export regulations, the ciphering keys described in this application are 64-bit numbers. However, this can always be lessened to conform to government restrictions. In fact, the UIM AUTHREQ message could be defined with a parameter which dictates the size of the ciphering key. This way, longer keys can be used domestically while still providing the capability to roam into global markets that have shorter key sizes.

[0058] Although the description above discusses roaming between the GSM network and the IS-41 network, the AIF 314 of the present invention facilitates communication between any stored challenge/response pair authentication network and any primary key/shared secondary key authentication network. In the [...] illustrated in Figure 11, the first network 218 includes an authentication data base 402 and an intermediary 404. Similarly, the second network 220 includes an authentication data base 406 and an intermediary 408. The AIF 314 of the present invention enables user 410 to roam between the first network 218 and the second network 220, as described above. Additionally, although Figures 7-11 illustrate the AIF 314 as a stand-alone entity, [...] the AIF 314 may be built into any one or more of the HLR 302, VLR 304, HLR 306, or VLR 308 of Figures 7-10 or any one or more of the authentication data base 402, intermediary 404, authentication data base 406, or intermediary 408 of Figure 11.



Claims 

1. An authentication interoperability function for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said authentication interoperability function receiving a challenge/response pair from an authentication data base in the first network, creating a secondary key from the challenge/response pair, and sending the secondary key to an intermediary in the second network to authenticate the user from the first network.

2. The authentication interoperability function of claim 1, wherein the user is a mobile telephone subscriber.

3. The authentication interoperability function of claim 1, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary is a visiting location register in the IS-41 network, and the authentication data base is a home location register in the GSM network.

4. The authentication interoperability function of claim 3, wherein the authentication interoperability function is colocated with the home location register in the GSM network.

5. The authentication interoperability function of claim 3, wherein the authentication interoperability function is colocated with the visiting location register in the IS-41 network.

6. The authentication interoperability function of claim 3, wherein the authentication interoperability function is a stand-alone network entity.

7. The authentication interoperability function of claim 1, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

8. An authentication interoperability function for facilitating authentication of a user from a first network when the user is in the second network, having a different authentication scheme from the first network, said authentication interoperability function receiving a secondary key from an authentication data base from the first network, creating a challenge/response pair from the secondary key, and sending the challenge/response pair to an intermediary in the second network to authenticate the user from the first network.

9. The authentication interoperability function of claim 8, wherein the user is a mobile telephone subscriber.
10. The authentication interoperability function of claim 8, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, the intermediary is a visiting location register in the GSM network, and the authentication data base is a home location register in the IS-41 network.

11. The authentication interoperability function of claim 10, wherein the authentication interoperability function is colocated with the home location register in the IS-41 network.

12. The authentication interoperability function of claim 10, wherein the authentication interoperability function is colocated with the visiting location register in the GSM network.

13. The authentication interoperability function of claim 10, wherein the authentication interoperability function is a stand-alone network entity.

14. The authentication interoperability function of claim 8, wherein an authentication scheme of the first network is a primary key/shared secondary key authentication scheme and an authentication scheme of the second network is a stored challenge/response pair authentication scheme.

15. A method of authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said method comprising the steps of:

receiving a cbalenge/response pair from an 
authentication daia base in the first network; 

generating a key from the challenge/response 
pair; and 

authenticating the user based on the key. 

16. The method of claim 15, wherein the key is a secondary key generated from a primary key.

17. The method of claim 15, wherein the user is a mobile telephone subscriber.

18. The method of claim 15, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, and the authentication data base is a home location register in the GSM network.

19. The method of claim 15, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

20. A method of authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said method comprising the steps of:

generating a challenge/response pair from a key;

transmitting the challenge/response pair to an intermediary in the first network;

authenticating the user based on the challenge/response pair.

21. The method of claim 20, wherein the key is a secondary key generated from a primary key.

22. The method of claim 20, wherein the user is a mo- 
bile telephone subscriber. 

23. The method of claim 20, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, and the authentication data base is a home location register in the IS-41 network.


24. The method of claim 20, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

25. An interface for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said interface comprising:

a message containing a challenge/response pair from an authentication data base in the first network to an intermediary in the second network.

26. The interface of claim 25, wherein the user is a mobile telephone subscriber.

27. The interface of claim 25, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base is a home location register in the GSM network, and the intermediary is a visiting location register in the IS-41 network.

28. The interface of claim 25, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.
29. The interface of claim 25, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, the authentication data base is a home location register in the IS-41 network, and the intermediary is a visiting location register in the GSM network.

30. The interface of claim 25, wherein an authentication scheme of the first network is a primary key/shared secondary key authentication scheme and an authentication scheme of the second network is a stored challenge/response pair authentication scheme.

31. An interface for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said interface comprising:

a message containing a challenge from an intermediary in the first network to the user and a response from the user to the intermediary in the first network.

32. The interface of claim 31, wherein the user is a user
identity module (UIM) of a mobile telephone and the 
intermediary is a visiting location register. 

33. The interface of claim 32, wherein the first network 
is an IS-41 network and the second network is a 
Global System for Mobiles (GSM) network. 

34. The interface of claim 32, wherein the first network 
is a Global System for Mobiles (GSM) network and 
the second network is an IS-41 network. 

35. The interface of claim 31, wherein the message fur- 
ther contains a random number challenge from the 
intermediary in the first network to the user from 
which the user can generate a key. 

36. The interface of claim 35, wherein the user is a user identity module (UIM) of a mobile telephone and the intermediary is a visiting location register.

37. The interface of claim 35, wherein the first network is an IS-41 network and the second network is a Global System for Mobiles (GSM) network.

38. The interface of claim 35, wherein the first network is a Global System for Mobiles (GSM) network and the second network is an IS-41 network.
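The two translations the claims describe, as an added example that is not part of the patent or of any IS-41 or GSM implementation: in one direction the authentication interoperability function receives a secondary key from the IS-41 home location register and builds a stored challenge/response pair that a GSM visiting location register can use unchanged (claims 8 and 20); in the other it receives a stored challenge/response pair from the GSM home location register and generates a key for an IS-41 visiting location register, which then challenges the user, who rebuilds the same key from the random number challenge (claims 15, 31 and 35). Every derivation and response function below is an HMAC-SHA256 placeholder chosen for this illustration; none of them is CAVE, A3 or A8, the sample keys and random values are constructed, and the patent does not specify how the translation is computed.

```python
# Added example, not the patent's code: an authentication interoperability
# function (AIF) between an IS-41 style primary key/shared secondary key
# scheme and a GSM style stored challenge/response scheme. Every derivation
# below is an HMAC-SHA256 placeholder chosen here, not CAVE, A3 or A8.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed sample secrets and random values (assumptions, not from the patent).
A_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # IS-41 primary key
KI = bytes.fromhex("00112233445566778899aabbccddeeff")     # GSM subscriber key
RAND_SSD = bytes.fromhex("a1b2c3d4e5f60718")               # seed for SSD update
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")   # 16-byte challenge
CHALLENGE = bytes.fromhex("deadbeef")                      # visited VLR challenge

def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Placeholder keyed derivation shared by all algorithms below."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def derive_ssd(a_key: bytes, rand_ssd: bytes) -> bytes:
    """Secondary key (SSD) derived from the primary key and a seed."""
    return _prf(a_key, b"ssd", rand_ssd, 16)

def is41_response(key: bytes, challenge: bytes) -> bytes:
    """Challenge/response in the SSD network, run by network and UIM alike."""
    return _prf(key, b"auth", challenge, 4)

def gsm_auth(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stored challenge/response scheme: (SRES, Kc) from Ki and RAND."""
    return _prf(ki, b"sres", rand, 4), _prf(ki, b"kc", rand, 8)

def roaming_key(rand: bytes, sres: bytes, kc: bytes) -> bytes:
    """Key from a triplet; shared by AIF and user so the user can rebuild it
    from the random number challenge RAND alone (claim 35)."""
    return _prf(kc, b"roam", rand + sres, 16)

@dataclass(frozen=True)
class Triplet:
    rand: bytes   # challenge
    sres: bytes   # expected response
    kc: bytes     # session key

class Aif:
    """Translates so each visited VLR keeps running its native exchange."""

    @staticmethod
    def triplet_from_ssd(ssd: bytes, rand: bytes) -> Triplet:
        """Claims 8/20: SSD from the IS-41 HLR -> pair for a GSM VLR."""
        return Triplet(rand, is41_response(ssd, rand), _prf(ssd, b"kc", rand, 8))

    @staticmethod
    def key_from_triplet(t: Triplet) -> bytes:
        """Claims 15/54: pair from the GSM HLR -> key for an IS-41 VLR."""
        return roaming_key(t.rand, t.sres, t.kc)

class Uim:
    """User identity module: holds SSD (IS-41 subscriber) or Ki (GSM)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond_is41(self, challenge: bytes) -> bytes:
        """IS-41 subscriber answering a challenge with its SSD (claim 31)."""
        return is41_response(self._secret, challenge)

    def respond_roaming(self, rand: bytes, challenge: bytes) -> bytes:
        """GSM subscriber in an IS-41 network: rebuild the key from RAND via
        Ki, then answer the VLR's own challenge with it (claims 31/35)."""
        sres, kc = gsm_auth(self._secret, rand)
        return is41_response(roaming_key(rand, sres, kc), challenge)

def roam_is41_into_gsm(a_key: bytes, rand_ssd: bytes, rand: bytes, uim: Uim) -> bool:
    """IS-41 subscriber in a GSM network; the GSM VLR sees only a triplet."""
    ssd = derive_ssd(a_key, rand_ssd)                   # IS-41 HLR
    triplet = Aif.triplet_from_ssd(ssd, rand)           # HLR -> AIF -> GSM VLR
    response = uim.respond_is41(triplet.rand)           # VLR -> UIM: RAND; UIM -> VLR
    return hmac.compare_digest(response, triplet.sres)  # GSM VLR check

def roam_gsm_into_is41(ki: bytes, rand: bytes, challenge: bytes, uim: Uim) -> bool:
    """GSM subscriber in an IS-41 network; the IS-41 VLR sees only a key."""
    sres, kc = gsm_auth(ki, rand)                        # GSM HLR/AuC
    key = Aif.key_from_triplet(Triplet(rand, sres, kc))  # HLR -> AIF -> IS-41 VLR
    response = uim.respond_roaming(rand, challenge)      # VLR -> UIM: RAND, challenge
    return hmac.compare_digest(response, is41_response(key, challenge))

def demo() -> dict:
    """Both directions, with a genuine UIM and an impostor holding a wrong secret."""
    bogus = Uim(b"\x00" * 16)
    return {
        "is41_into_gsm": roam_is41_into_gsm(A_KEY, RAND_SSD, RAND, Uim(derive_ssd(A_KEY, RAND_SSD))),
        "is41_into_gsm_impostor": roam_is41_into_gsm(A_KEY, RAND_SSD, RAND, bogus),
        "gsm_into_is41": roam_gsm_into_is41(KI, RAND, CHALLENGE, Uim(KI)),
        "gsm_into_is41_impostor": roam_gsm_into_is41(KI, RAND, CHALLENGE, bogus),
    }
```

Calling `demo()` exercises both roaming directions. The property worth checking in any real AIF deployment is visible in the two flow functions: the visited visiting location register never receives the home network's long-term secret (the A-key or Ki), only material derived from it (a triplet, or a key), and the comparison on the visited side is a constant-time check against a value the home side produced.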

39. An intermediary for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said intermediary comprising:

a receiving element for receiving a challenge/response pair from an authentication data base in the first network;

a generating element for generating a key from the challenge/response pair;

an authenticating element for authenticating the user based on the key.


40. The intermediary of claim 39, wherein the key is a secondary key generated from a primary key.

41. The intermediary of claim 39, wherein the user is a mobile telephone subscriber.

42. The intermediary of claim 39, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base in the first network is a home location register in the GSM network, and the intermediary is a visiting location register in the IS-41 network.

43. The intermediary of claim 39, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

44. An authentication data base for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said location register comprising:

a generating element for generating a challenge/response pair from a key;

a transmitting element for transmitting the challenge/response pair to an intermediary in the first network which authenticates the user based on the challenge/response pair.

45. The authentication data base of claim 44, wherein the key is a secondary key generated from a primary key.

46. The authentication data base of claim 44, wherein the user is a mobile telephone subscriber.

47. The authentication data base of claim 44, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary in the first network is a visiting location register in the GSM network, and the authentication data base is a home location register in the IS-41 network.

48. The authentication data base of claim 44, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

49. An intermediary for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said intermediary comprising:

a receiving element for receiving a challenge/response pair from an authentication data base in the second network, which generated the challenge/response pair from a key; and

an authenticating element for authenticating the user based on the challenge/response pair.

50. The intermediary of claim 49, wherein the key is a secondary key generated from a primary key.

51. The intermediary of claim 49, wherein the user is a mobile telephone subscriber.

52. The intermediary of claim 49, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base is a home location register in the IS-41 network, and the intermediary is a visiting location register in the GSM network.

53. The intermediary of claim 49, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

54. An authentication data base for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said location register comprising:

a generating element for generating a key from a challenge/response pair;

a transmitting element for transmitting the key to an intermediary in the second network which authenticates the user based on the key.

55. The authentication data base of claim 54, wherein the key is a secondary key generated from a primary key.

56. The authentication data base of claim 54, wherein the user is a mobile telephone subscriber.

57. The authentication data base of claim 54, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary in the second network is a visiting location register in the IS-41 network, and the authentication data base is a home location register in the GSM network.

58. The authentication data base of claim 54, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.